EDPB stakeholder event write-up: From “no one wants political ads” to “political parties have to be able to reach their local audience”, today’s topic wasn’t very sexy (the “processing of personal data for the targeting or delivery of political advertisements”) but it still was a colourful event. No bar fight unlike some previous stakeholder events, but the questions handled in the morning in particular allowed for good back and forth.
The Political Advertising Regulation or TTPA basically says that political advertising can be personalised, but not based on special categories of personal data.
In summary, the following came out of the event:
1. Political advertising has disappeared from several platforms as a result of the TTPA, because compliance is too complex to arrange.
2. Political parties and actors do want to continue to be able to reach their audience, even if not targeted based on special categories of data (despite overinterpretations of Lindenapotheke and OT). Local election issues must be brought to local audiences online as well, for democratic participation and visibility too, and the TTPA must not become a means of blocking such ads. Yet these work on the basis of non-precise geolocation, age ranges etc. This should continue to be permitted, and this processing should not be seen as processing of special categories of personal data (some disagreed though).
3. Targeting and ad delivery are two very different concepts, and the processing of personal data for both requires consent under the TTPA… while IP addresses, which authorities invariably consider as personal data (despite Breyer and SRB) are *necessarily* used for ad delivery purposes. So they must recognise that technical requirements for ad delivery must be permitted without consent (otherwise, even contextual political ads require consent).
4. Transparency requirements in the TTPA are not always clear, as it isn’t always obvious if they should appear in a first information layer or a subsequent layer. The degree of detail of information to be provided to data subjects also was an important topic, leading to diverging views on how technical the information should be.
5. GDPR roles are a significant question in this context, and some form of joint controllership could be considered, but it is important for the EDPB to carefully consider limits to the scope of joint controllership in such a case.
6. Ultimately, some standardisation in terms of format and content of the information to be provided would be welcome, but more than that, there is a need for practical guidance from the EDPB, one that is tailored also to smaller players with often more limited resources.
Thanks to the European Data Protection Board for organising this event – and I hope they draw the right lessons from this!
GDPR privacy data protection adtech
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
Get in touch ↗ Let's connect on LinkedIn ↗